Managing WSUS 3.0 from the Command Line

The wsusutil command-line utility is used in managing WSUS servers and is located in the WSUSInstallDir\Tools folder of WSUS servers. The table below summarizes the different parameters that can be used with this utility, and later sections explain the syntax and usage of each parameter.

注意

You can also use Windows® PowerShell® to access the WSUS 3.0 APIs from the command line.

Using the wsusutil utility

You must be an administrator to run the wsusutil utility. This utility is installed only on WSUS server machines, not on console-only installations.

注意

To see all wsusutil parameters, type wsusutil help on the command line. To see usage for each of the parameters, type wsusutil helpparameterName.

Summary of wsusutil Commands

Command Description
configuressl Updates the WSUS server registry key after the IIS configuration has changed.
healthmonitoring Configures health monitoring values in the database. If new values are not specified, the current values are displayed.
export Part of the export/import process used to synchronize a downstream WSUS without using a network connection. Exports update metadata to an export package file. You cannot use this parameter to export update files, update approvals, or server settings.
import The second part of the export/import process. Imports update metadata to a server from an export package file created on another WSUS server. This synchronizes the destination WSUS server without using a network connection.
movecontent Changes the file system location where the WSUS server stores update files, and optionally copies any update files from the old location to the new location
listfrontendservers Lists the front-end servers related to this WSUS server.
deletefrontendserver Deletes the specified front-end server from the WSUS database.
checkhealth Checks the health of the WSUS serve. Results will appear in the Application Event log.
reset Checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, downloads the update files again.
listinactiveapprovals Returns a list of update titles with approvals that are in a permanently inactive state because of a change in server language settings.
removeinactiveapprovals Removes approvals for updates that are in a permanently inactive state because of a change in WSUS server language settings.
usecustomwebsite Changes the port number used by the WSUS Web services from 80 to 8530 or vice versa.
#### configuressl Updates the WSUS server registry key after the IIS configuration has changed. If this command is run with the optional parameter *ServerCertificateName*, it updates the certificate name. If it is run without the optional parameter, it updates the setting for host headers, if there are any. For more information about configuring SSL for WSUS, see "Securing WSUS with the Secure Sockets Layer" in [Deploying Microsoft Windows Server Update Services](https://go.microsoft.com/fwlink/?linkid=79983) (https://go.microsoft.com/fwlink/?linkid=79983). #### Syntax The following command updates the host headers, if any: **wsusutil configuressl** The following command updates the server certificateName: **wsusutil configuressl** *ServerCertificateName* **//sets the server certificate name** ###  

Parameter Description
ServerCertificateName An optional parameter. When present, it provides the name in the Issued to field of the server certificate.
#### Output The output from the **wsusutil configuressl** command is the address of the WSUS Web site (including the port number), for example **https://serverName:443**. #### healthmonitoring This command sets and gets the different parameters for WSUS health monitoring. #### Syntax **Wsusutil healthmonitoring** *parameterName* > [!NOTE] > You may set or get only one parameter at a time. ###  

Parameter Description
**IntervalsInMinutes** *\[DetectInterval\] \[RefreshInterval\]* Sets the values for detect and refresh intervals. If the detect interval is 0, the detect cycle will not run. If the refresh interval is 0, the refresh cycle will not run. For more information about the detect and refresh cycles, see [Health Monitoring in WSUS 3.0](https://technet.microsoft.com/2e8a4be2-43b2-4a2c-96f6-667c4558f18d).
**DiskSpaceInMegabytes***\[ErrorLevel\] \[WarningLevel\]* Sets the amount of available disk space (in megabytes) at which a low disk space warning or error event should be logged.
**CatalogSyncIntervalInDays** *\[Days\]* Sets the number of days that should have passed after synchronization before a warning event should be logged..
**InstallUpdatesInPercent** *\[WarningPercent\]\[ErrorPercent\]* Sets the percentage of update installation failures at which a warning or error event should be given.
**InventoryInPercen***\[WarningPercent\]\[ErrorPercent\]* Sets the percentage of inventory reporting failures at which a warning or error should be given.
**SilentClientsInPercent** *\[WarningPercent\]\[ErrorPercent\]* Sets the percentage of clients not reporting to the server at which a warning or error should be given.
**SilentClientsInDays** *\[Days\]* Sets the number of days clients can fail to report before an error should be given.
**TargetComputersInPercent** *\[WarningPercent\]\[ErrorPercent\]* Sets the maximum percentage of target computers reporting to this server below which a warning or error event should be given. For example, if you set values of 80 and 60, a warning event will be logged if only 80 percent of computers have reported, and an error event will be logged if only 60 percent of computers have reported.
**CheckAcls** *on|off* If on, health monitoring should check ACLs on the relevant directories.
**CheckForLowDiskSpace** *on|off* If on, health monitoring should check for low disk space.
**CheckForCatalogSyncFailures** *on|off* If on, health monitoring should check for catalog synchronization failures.
**CheckForContentSyncFailures** *on|off* If on, health monitoring should check for content synchronization failures.
**CheckForEmailNotificationFailures** *on|off* If on, health monitoring should check for e-mail notification failures.
**CheckSelfUpdate** *on|off* If on, health monitoring should check for client self-update failures.
**CheckClientsExist** *on|off* If on, health monitoring should check whether this server has any clients.
**CheckForUpdateInstallFailures** *on|off* If on, health monitoring should check for update installation failures.
**CheckForInventoryFailures** *on|off* If on, health monitoring should check for clients failing to report inventory..
**CheckForSilentClients** *on|off* If on, health monitoring should check for clients that have failed to report to the server.
**CheckForTooManyClients** *on|off* If on, health monitoring should check whether the number of clients is approaching the maximum number allowed.
**CheckReportingWebService** *on|off* If on, health monitoring should check the Reporting Web service.
**CheckApiRemotingWebService** *on|off* If on, health monitoring should check the API Remoting Web service.
**CheckServerSyncWebService** *on|off* If on, health monitoring should check the Server Synchronization Web service.
**CheckClientWebService** *on|off* If on, health monitoring should check the client Web service.
**CheckSimpleAuthWebService** *on|off* If on, health monitoring should check the Simple Authentication Web service.
**CheckDssAuthWebService** *on|off* If on, health monitoring should check the Downstream Server Authentication Web service.

Output

The output from wsusutil paramName is usually the current state of the given parameter. Some examples are given below:

wsusutil healthmonitoring IntervalsInMinutes

Output:

Detect interval: 10 min, Refresh interval: 360 min

wsusutil healthmonitoring DiskSpaceInMegabytes

Output:

Error level: 200 MB, Warning level: 500 MB

However, with the parameters setting on or off the different health monitoring checks (for example, wsusutil healthmonitoringCheckAcls), the output will simply be a warning that the WSUS Service must be stopped and restarted for the change to take effect.

export

For more information about exporting and importing updates, see "Set Up a Disconnected Network (Import and Export Updates)" in Deploying Microsoft Windows Server Update Services (https://go.microsoft.com/fwlink/?linkid=79983).

Syntax

wsusutil export package logfile

 

Parameter Description
package The path and file name of the package .cab to create.
logfile The path and file name of the log file to create.
> [!NOTE] > Exporting from a WSUS 2.0 server to a WSUS 3.0 server (or from a WSUS 3.0 server to a WSUS 2.0 server) is not supported. #### Import For background and procedural information about exporting and importing updates, see "Set Up a Disconnected Network (Import and Export Updates)" in [Deploying Microsoft Windows Server Update Services](https://go.microsoft.com/fwlink/?linkid=79983) (https://go.microsoft.com/fwlink/?linkid=79983). #### Syntax **wsusutil import** *package* *logfile* ###  

Parameter Description
package The path and file name of the package .cab to import.
logfile The path and file name of the log file to import.
> [!NOTE] > Importing from a WSUS 2.0 server to a WSUS 3.0 server (or from a WSUS 3.0 server to a WSUS 2.0 server) is not supported. #### Movecontent When you run this command, **wsusutil** does the following: - Copies the update files from the old location to the new location. The old location is not deleted. - Updates the WSUS database to refer to the new location of the update files. - Ensures that the content and metadata are synchronized. This check is always run, even if the **–skipcopy** parameter is used. The destination folder to which update files are moved must be on an NTFS partition. The utility will not try to copy update files if they already exist in the destination folder. The destination folder will have the same permissions that were set on the original folder.

注意

You can use xcopy, the Backup utility, or other methods to copy update files from the old location to the new one. If you copy the files by using a method other than wsusutil, you still need to run wsusutil to perform the second part of the move, using the -skipcopy parameter. See the "Syntax" section for more information.

There are two scenarios in which you might move update files from one WSUS drive to another:

  • If the drive is full
  • If the hard disk fails

If the drive is full

If the drive where WSUS stores update files is full, you can do one of the following:

  • Add more space to your current drive by using NTFS functionality. This operation can be done without using wsusutil, because it does not affect WSUS configuration or operation.
  • Install a new drive, and then move the update files from the old drive to the new location by using wsusutil.

If the hard disk fails

If the hard disk fails, you must do the following:

  1. Install the new disk on your computer, and then restore the update files from your backup files. Note: If you have not backed up your update files, WSUSutil.exe downloads the missing files at the end of the content move operation.
  2. Run wsusutil movecontent newLocation, specifying the location for the new disk. In addition, you specify the -skipcopy parameter, because you are either putting the files in the new folder through the backup utility or the source folder does not exist; the update files will be downloaded at the end of this process.
  3. When the move operation is complete, all the missing files are downloaded.

Syntax

wsusutil movecontent contentpath logfile -skipcopy

 

Parameter Description
contentpath The new root for content files. The path must exist.
logfile The path and file name of the log file to create.
-skipcopy Indicates that only the server configuration should be changed, and that the content files should not be copied.
#### listfrontendservers This command lists the different front-end servers in a network load balancing configuration. It can be useful in troubleshooting a NLB (network load balancing) configuration and after setting up a new front-end server to make sure that it is configured properly. #### deletefrontendserver This command deletes the given front-end server. #### Syntax **wsusutil deletefrontendserver** *serverName* ###  

Parameter Description
serverName The name of the front-end server to be deleted.
> [!IMPORTANT] > This command removes the front-end server from the database only. You will need to run **wsussetup /u** on the front-end server to uninstall WSUS. #### checkhealth This command checks the health of the WSUS server. The health check is configured by **wsusutil healthmonitoring**). The results are written to the event logs. #### Syntax **wsusutil checkhealth** #### reset You use this command if you store updates locally on your WSUS server and want to ensure that the metadata information stored in your WSUS database is accurate. With this command, you verify that every update metadata row in the WSUS database corresponds to update files stored in the local update file storage location on your WSUS server. If update files are missing or have been corrupted, WSUS downloads the update files again. This command might be useful to run after you restore your database, or as a first step when troubleshooting update approvals. #### Syntax **wsusutil reset** #### listinactiveapprovals If you change language options on an upstream WSUS server, the number of approved updates on the upstream server may not match the number of approved updates on a replica server. For example, consider the following scenario. You configure your upstream server to synchronize all languages, then synchronize and approve 300 updates, of which 50 are non-English language updates. Afterward, you change the language setting on the server to English only. Later, a replica server synchronizes from the upstream server and downloads the "active" approvals, which now are only the English language ones (replica servers synchronize only active approvals). At this point, you will see 300 updates approved on the upstream server, but only 250 approved on the replica server. You can use **listinactiveapprovals** to see a list of the updates on the parent upstream server that are permanently inactive—in this case, the 50 updates that are not English. You do not have to run this command before running the **removeinactiveapprovals** command.   #### Syntax **wsusutil listinactiveapprovals** #### removeinactiveapprovals See the explanation above for a description of situations in which you might need to use **removeinactiveapprovals**. You do not have to run the **listinactiveapprovals** command before running this command.   #### Syntax **wsusutil removeinactiveapprovals** #### usecustomwebsite If you set this value to **true**, WSUS Setup will use port 8530 for its Default Web site. If you set it to **false**, WSUS will use port 80. > [!IMPORTANT] > You must use this command before you configure SSL. > [!IMPORTANT] > If you are installing SharePoint on the same machine as WSUS, the value of **usecustomwebsite** should be set to **true** before the install. > [!IMPORTANT] > Using this command after running WSUS Setup will fail if the index of the default Web site is set to a value other than 1. #### Syntax **wsusutil usecustomwebsite true**